Mr Robot: 1 CTF Walkthrough

Mr Robot: 1 CTF (Capture the Flag) is a downloadable virtual machine from Vulnhub, a site that has purposely built virtual machines for you to hack. Each one varies in difficulty and allows you to hone your skills and even pick up new ones.

Description:
Based on the show Mr Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

So I downloaded the virtual machine from Vulnhub and then just double-clicked the mrRobot.ova file, and it set itself up in VirtualBox.

I set the network up so only the Mr Robot VM and Kali Linux were on the same subnet, to make it easier to find, and you don’t really want to be exposing vulnerable virtual machines on your live network. The VM has DHCP enabled so it gets a DHCP lease straight off the bat.

My first step is to find out what IP the VM is on and what goodies it has to offer, so I run Nmap to find all this out for me.

As you can see, it looks like we have an Apache web server running with ports 80 and 443 open, so let’s check them out first.

With both HTTP and HTTPS we get presented with a cool animation of a Linux terminal booting up and Mr Robot logging in.

At the prompt the only commands that work are the 6 listed above. Each one takes you to its own page, which contains all sorts of Mr Robot propaganda; it looks like it’s a rip of a Mr Robot promotional website. I took note of each page just in case I needed it later.

Looking at the source, we can see this animation has been created in JavaScript. There is also some interesting info on line 15. I would like to just add “I am not an expert in JavaScript”, but it looks like if you have an IP of 208.185.115.6 you get taken to index.html.

Boom! So it looks like I have found key-1-of-3.txt and a fsocity.dic file.

I first navigate to the key file at http://192.168.1.103/key-1-of-3.txt and get the first key 073403c8a58a1f80d943455fb30724b9

Then I download fsocity.dic, which is just a dictionary file. I’m guessing this is something that we will have to use later, so I’ll keep that somewhere safe.

When the dictionary file had finished downloading, I kind of just mashed the keyboard with adfsda after the IP address and I received a WordPress 404 page, as below.

Clicking around the menus, I quite quickly found the WordPress login page at http://192.168.1.103/wp-login.php

Now we know it’s a WordPress site, we can try and enumerate users using WPScan.

wpscan --url 192.168.1.103 --enumerate u

This actually did not find any users for me, so I started to use process of elimination and tried admin, root and user, all giving me an “Invalid username” error.

So, still with no users, I start to use names from characters in the TV series, starting at mrrobot, flipper, and then we get a hit with elliot.

Cool, so we have a user. The next step will be to use that dictionary file we downloaded earlier and see if we can brute force the password for this account. So let’s take a look at the dictionary file…

The first thing I notice when I cat the dictionary file is that it’s not in any sequential order. This can be rectified by just running a sort command in the Linux terminal.

sort fsocity.dic >fsocitysorted.dic

I cat the new fsocitysorted.dic file and notice there are a lot of repeated words, so we can run the sort command again but pipe it into the uniq command as below, giving us a nice and tidy dictionary file for us to run our brute force against.

sort fsocity.dic | uniq > fsocitysortunique.dic

So let’s use WPScan again to brute force the login using our new dictionary file, as so.
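Seen from the web server, the username guessing and dictionary run against wp-login.php described above stand out in the access log. The following detection check is an added example, not part of the original walkthrough; the log lines, client addresses, date, threshold and window are constructed assumptions. It relies on WordPress answering a failed login POST with status 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip - - [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def detect_login_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed wp-login.php POSTs inside the window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = {}                  # ip -> {"max_burst": int, "success_after_burst": bool}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "302":       # redirect: a login succeeded
            if ip in flagged:
                flagged[ip]["success_after_burst"] = True
            continue
        if status != "200":
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"max_burst": 0, "success_after_burst": False})
            entry["max_burst"] = max(entry["max_burst"], len(q))
    return flagged

def build_sample_log():
    """Constructed sample: one client fails 8 times then succeeds; another fails once."""
    rows = [("192.168.1.50", f"01/Jan/2020:10:00:{s:02d} +0000", "POST", 200) for s in range(8)]
    rows.append(("192.168.1.50", "01/Jan/2020:10:00:09 +0000", "POST", 302))
    rows.append(("192.168.1.77", "01/Jan/2020:10:00:20 +0000", "GET", 200))
    rows.append(("192.168.1.77", "01/Jan/2020:10:00:25 +0000", "POST", 200))
    return [f'{ip} - - [{ts}] "{m} /wp-login.php HTTP/1.1" {st} 1234 "-" "-"'
            for ip, ts, m, st in rows]

SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, info in detect_login_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

A flagged client with `success_after_burst` set is the case to triage first, since a guessed password was followed by a working login.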

So it looks like we have a username and an MD5 hashed password. I could run this through hashcat, but I thought as this is an easy hackable VM, I would google the hash first, and as I thought, the hash comes back quite quickly as abcdefghijklmnopqrstuvwxyz.

I try and switch user to robot but I keep getting a message telling me that su must be run from a terminal.
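Why a search engine is enough here, and what the stored value should have looked like instead, as an added example that is not part of the original walkthrough: unsalted MD5 maps a given password to the same digest on every system, while a salted, iterated hash does not. The record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PASSWORD = "abcdefghijklmnopqrstuvwxyz"  # the plaintext recovered in the walkthrough

def raw_md5(password):
    """Unsalted MD5: identical input gives an identical digest everywhere,
    so any published digest for this string matches the stored value."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 record (illustrative format and iteration count)."""
    salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    print("md5 twice :", raw_md5(PASSWORD), raw_md5(PASSWORD))
    first, second = hash_password(PASSWORD), hash_password(PASSWORD)
    print("salted #1 :", first)
    print("salted #2 :", second)
    print("verifies  :", verify_password(PASSWORD, first))
```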

su robot
su: must be run from a terminal

This shows that we don’t have a proper shell running, so we can use a bit of Python foo to get full terminal access using the command below.

python -c 'import pty; pty.spawn("/bin/bash")'

We can tell we are in the proper shell as the start of the line tells us what user we are, the name of the server and then what folder we are in.

Now with key 2 found we just have one more to find. I’m guessing to do this we need to escalate privileges again to become the root user. I tried a few exploits off Exploit-DB but none of these worked, so I started looking at other ways to get to root.

So we escalated our privileges to root through the interactive shell and navigated to the root folder. As you can see above, this holds our final key, which we cat to give us…

cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Now we have all 3 keys, that’s this virtual machine done… It was a really good virtual machine to get started with. Finding out about the privilege escalation using Nmap was fantastic, and being a fan of the Mr Robot TV show really helped with keeping me interested.

Going to go have another look at Vulnhub and see if there are any more TV/movie tie-ins that I can sink my teeth into…